Scribe: @Suzanne Gonzales-Webb
Weekly calls Tuesdays 3PM ET
FreeConferenceCall Online Meeting Link: https://www.freeconferencecall.com/join/security36
Dial-in Number (United States): (515) 604-9567 Access Code: 880898#
Motion to approve the 10/22 minutes, with an amendment to update the number of approvals:
Moved: JohnM Second: Mohammad
Approve: 12 - Abstain: 0 - Oppose: 0
Sequoia CUI Discussions
CUI Machine-Readable/Computable IG.
This is a new project to produce an IG in support of US Realm implementation of HL7 data segmentation/labeling of messaging from US federal agencies to recipients. Two PowerPoint decks have been created that outline the requirements for this IG in detail. Call for approval and creation of the PSS/IG.
We have been working with Sequoia. This is a US Realm project.
The next step is to draft a proposal with a basic outline of the project scope: a specialization of DS4P and FHIR.
MOTION: Create a cross-paradigm IG covering security labeling across the HL7 family, including wrappers.
Discussion: I don't believe we need a motion to create a PSS, question on resourcing has not been answered. Moving forward with the PSS may answer the question.
No vote taken (no second to the motion).
A PSS will be created and brought back to the WG for discussion.
EPIC Access Control
Isaac Vetter - Presentation on EPIC's approach to granular access control and how it fits with standards we have in place (e.g., security labels) and guidance we would like to develop on granular scopes etc.
Discussion pushed to the 11/5 call.
DaVinci IG Privacy and Security Considerations
Discussion continued to 10/29 because the DaVinci team has conflicts.
Mohammad Jafari and Kathleen offer additional Privacy and Security Considerations for
John suggested possible additions to the Security Module as well, e.g., AnonymousRead or BusinessSensitive classifications (http://build.fhir.org/security.html#Anonymous).
ACTION: Craft appropriate language on the FHIR Security call with John Moehrke (and others via e-mail).
This is a general IG.
Kathleen - Submitted 6 initial proposals. At the last meeting 3 were approved and 3 were pended for completion. The WG needs to review the pending 3. See Proposals November Harmonization.
Review of Harmonization Proposals:
4 - (typo)
5 - CDS Compartment (final approval from CBCP once Kathleen has spoken to WG)
6 - Specialize MDHHS-5515 (Michigan consent to care); the change is due to a change in law
Harmonization Dates: Initial proposals due 10/26; final submissions due 11/29; Harmonization meeting scheduled for 12/15.
MOTION: for the Security WG to co-sponsor Harmonization Proposals 4, 5, 6 (Suzanne/no second)
Discussion: These are initial proposals, so there is time for refinement.
John Moehrke - call cancelled. He discussed his effort to get more participants on the FHIR Security calls:
Hi FHIR and Security community
We have not been getting good attendance at the scheduled FHIR Security call. I want to find a better time to hold these weekly meetings. I want to get more participation from those that are addressing security problems.
Looking for those interested, so that I can assure a doodle poll starts with a good core group.
These topics include some discussions that have popped up on Zulip, but have never been brought to the security workgroup:
* Basic Provenance in FHIR
* AuditEvent supporting Patient Empowerment
* Additional guidance for the core security pages
* Security around FHIR Subscription
* Security around bulk-data access
* Security around multi-organization interactions (e.g. HIE)
* App dynamic registration
* Updating of SMART-on-FHIR with next kind of use-case (tbd)
* Templating of IG to drive Security Considerations
* Templating of IG to drive consistent use of Provenance, AuditEvent, and Signatures
* Definition of a new Resource for Permission use-cases
* Creation of a library of security/privacy focused IG that can be included in 'other' IG as modular security solutions (similar to how SMART-on-FHIR is used today, but supporting other security models). This might be where the subscription, bulk-data, and multi-organization solutions are organized for easy use.
First I want to get in touch with people who might want to participate. From that group we will define a set of potential timeslots to put into a doodle poll to find a new timeslot. Please contact me directly if you are interested in the above topics.
If no one shows interest, then the above items will continue to be dreams...
Note the call time has moved to 1PM ET, which is the hour after the CBCP calls.
Discussion thread on Zulip: https://chat.fhir.org/#narrow/stream/179247-Security-and.20Privacy/topic/Proposed.20extension.20for.20CUI.20codes
INFRASD vote on DaVinci Alert Notification
PSS for DaVinci FHIR Alerts (Notifications) IG - Security co-chairs need to vote.
Currently, ADT exchange approaches typically use HL7 V2 ADT messages. This is a legacy EDI-style technology that uses HL7-specific protocols over ports that are not typically exposed to the internet. While HL7 V2 works well within the confines of a hospital system's intranet, it is not particularly well suited to cross-enterprise data exchange.
FHIR resources can be used to transport patient information relevant to a specific event (e.g. admission, discharge, change in treatment, new diagnosis) to another provider or the health plan to communicate the details of where care was delivered and help to ensure timely follow-up as needed. Health care stakeholders are increasingly responsible for knowing what care their patients have received and what care they need, regardless of where the patient sought care. This information can be used to build an encounter record in the receiving system with appropriate provenance and make it available to CDS and other local services.
Recommend that Security vote affirmative if the PSS Scope section includes the following statement:
This project will note use-case-specific Privacy and Security Considerations, such as: “Implementers of the FHIR Alerts IG must be aware of (and adhere to) their responsibilities with respect to data sharing imposed by policy, such as the need for providers and intermediaries to determine:
(1) whether payer recipients have or have had a relationship with the patient,
(2) that there are no consent directives required for sharing additionally protected information (e.g., a 42 CFR Part 2) or restricting the sharing (e.g., HIPAA consent for self-paid services) of the patient’s information, and
(3) that a FHIR Alert only includes the minimum necessary information required for a payer, only for HIPAA Payment purposes, and for the care coordination and conduct of care management activities permitted under HIPAA Operations.
This may involve allowing providers to review information prior to data transmission to the payer. Implementations SHALL permit provider review of data prior to transmission, but SHALL NOT require such review.”
(This comment is based on the approved resolution to my DaVinci PAS comment 24178.)
Discussion on CUI requirements - they seem to call for more than codes. (JohnM)
Encourage the group to hop into Zulip and provide opinions, and to join the FHIR Security meeting.
Need to determine the scope of the request to this Infrastructure Steering Division before discussing further.
Mike Davis - Consent approach in the Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act, 116th Congress, 1st Session, S. 2658: To promote competition and reduce consumer switching costs in the provision of online communications services.
A third-party user would manage the data (e.g., a Facebook or Google account). It's an interesting idea, since we are looking at patients managing their data; something to follow as a future capability giving patients choices for protecting their data in a global manner. It may solve the sharing problem, where patients manage their information without knowing the details of their providers, with a third party managing the information.
PSAF Provenance Volume 3 Ballot Reconciliation
Kathleen - Discuss proposed resolutions for block votes.
Bernd Blobel editorial comments 5 and 42-57 may be resolved without substantive changes across all PSAF volumes. Recommended disposition: Vote Persuasive; these non-substantive changes will be made to align the references in all PSAF volumes with updated references.
HL7 Netherlands Affiliate votes 2, 12, 13, 29 are duplicate comments:
There is international agreement to apply ISO 23903 to ascertain the use of multiple standards in a layer or stack, or architecture. The HL7 v3 Privacy and Security Architecture Framework does not apply this, making it difficult for policy makers, business analysts and architects to set up a solid business approach in which the privacy and security architecture framework can. This ISO 23903 is an important requirement to apply the Framework in conjunction with other standards like architectures, messages, EHR-S standards, clinical models and more.
Recommended disposition: Vote Not Related. ISO 23903 is still a draft standard, and there is no agreement that HL7 must align with this draft standard. All of the other PSAF volumes were approved as normative without this comment. Only PSAF Volume 3 was in scope for the 201909 ballot. The Security WG will consider ISO 23903, once adopted, in any future updates to PSAF if this specification is made freely available to HL7 members.
Share with Protections
Update on SwP Part 1 and Part 2 (drafts to be presented). Recommend a FHIR IG PSS for SwP.
NIST SP 800-207, Zero Trust Architecture
Mike Davis: Should the HL7 Security WG provide comments on the NIST Zero Trust Architecture relevant to standards work? Reference HL7’s PSAF Vol 1 with links to relevant sections such as Figures 7, 9, 12, 18, etc.
Federal Health IT Strategic Plan
Mike Davis: Should HL7 Security comment on the Federal Health IT Strategic Plan?
WGM Report Out
Kathleen - Draft WGM Minutes - in process.
Splitting PSAF (Mike) - discussion postponed to next week.
Adjournment - Meeting adjourned at
Temporary Meeting Recording: https://fccdl.in/jvb1RAfOXN
Attendees:
* Adam Wong, HHS
* Chris Shawn, Co-Chair
* Ready Computing / David Staggs, SRS
* Dave Hill, MITRE
* Sequoia / Heather McComas, AMA
* John Davis (Mike)
* John Moehrke, Co-Chair
* Aegis / Julie Chan, HL7 FHIR
* Kathleen Connor, Co-Chair
* VA (Book Zurman) / Laura Bright
* Laura Hoffman, AMA / EMR Direct
* Sequoia / Matthew Reid, AMA
* VA (Book Zurman) / PJM Consulting
* Ricky Sahu, 1up.health
* Robert Dieterle
* Saul Kravitz, MITRE
* Stephen MacVicar, MITRE / VA (Book Zurman)
* Terence Cunningham (Terry), AMA
* Trish Williams, Co-Chair, Flinders University